Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using the EС algorithm in Nss provider gives an error when creating the CSR #177

Open
OlhaPeculiar opened this issue Jul 25, 2024 · 4 comments
Open

Using the EС algorithm in Nss provider gives an error when creating the CSR #177

OlhaPeculiar opened this issue Jul 25, 2024 · 4 comments
Assignees
@microshine
Labels
bug question

Comments

@OlhaPeculiar
Copy link
Collaborator

image
@OleksandrSPV
Copy link
Collaborator

There is an error.
I use createPKCS10 method from @peculiar/fortify-client-core
image
@microshine @donskov Do you have any ideas?

@donskov
Copy link
Collaborator

donskov commented Jul 25, 2024

@OleksandrSPV Try on the current tools. Maybe this provider doesn't support EС algorithm.

@OleksandrSPV
Copy link
Collaborator

@OleksandrSPV Try on the current tools. Maybe this provider doesn't support EС algorithm.

You are right @donskov
image
The same error there.
What we should do? @OlhaPeculiar

@microshine
Copy link
Contributor

I conducted some research on the issue of saving CSR to a token, and here is what I found:

When we copy a CSR to the token using provider.certificateStorage.setItem, we use the C_CopyObject function on the PKCS#11 module. According to the implementation code of the NSS softoken, this function is implemented by sftk_CopyTokenObject.

https://github.com/servo/nss/blob/master/lib/softoken/pkcs11u.c#L1544C1-L1552

This function, in turn, uses sftk_CopyTokenAttributes, which is likely causing the CKR_ATTRIBUTE_INVALID error.

https://github.com/servo/nss/blob/master/lib/softoken/pkcs11u.c#L1489-L1536

Interestingly, even if we find and fix the erroneous attribute, we will encounter another error, CKR_DEVICE_ERROR, because sftk_CopyTokenObject does not support CKO_DATA.

Here is the switch..case statement indicating the supported object types:

https://github.com/servo/nss/blob/master/lib/softoken/pkcs11u.c#L1504-L1533

Therefore, it appears that we should not allow saving CSR to the token for the NSS provider.

Ideally, to avoid such issues across different providers and applications, we need to extend the Fortify API to provide more information about the provider's capabilities. However, this is a significant task that requires careful planning and implementation. For now, I suggest implementing a check at the client level. Currently, the client can obtain a relatively consistent provider name, which offers a high probability of identifying the provider. For example, MacOS Crypto for macOS and Firefox NSS for NSS. We can add a configuration at the client level to restrict provider capabilities by name. For instance, we can add Firefox NSS with an indication that it does not support saving CSR to the token.

Something like this:

const PROVIDER_LIMIT = {
  'Firefox NSS': ['csr:save'],
}

This approach will help us manage provider-specific limitations until we can implement a more comprehensive solution in the Fortify API.

@microshine microshine mentioned this issue Oct 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@microshine microshine

Labels
bug question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@microshine @donskov @OleksandrSPV @OlhaPeculiar